Yahoo now thinks all 3B accounts were impacted by 2013 breach, not 1B as thought

Today Yahoo sent out a notice disclosing that a further investigation of the 2013 breach has produced new evidence. The company now believes that all of its three billion accounts were impacted, not 1 billion as it previously thought. This will include all people who have Yahoo emails, and all people who had registered for any other Yahoo service like Flickr or fantasy sports.

The company, now a part of Oath after it was acquired by Verizon for $4.5 billion and merged with AOL (which also owns TechCrunch), said that it discovered the new evidence while integrating the companies.

It tried to mitigate the blow today by noting that when the 2013 breach was discovered and disclosed — in 2016 — the company “took action to protect all accounts.”

Those measures involved directly notifying impacted users “identified at the time,” requiring password changes and invalidating unencrypted security questions and answers so that they could not be used to access an account. Because Yahoo said it took action to protect all accounts previously, “No additional notifications regarding the cookie forging activity are being sent in connection with this update.”

This is not just a major blow to public confidence in Yahoo, but to Verizon, which had already received a discount of $350 million on its acquisition price for the company because of the initial findings from the breach.

“Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats,” said Chandra McMahon, Chief Information Security Officer, Verizon. “Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources.”

For affected accounts, Yahoo said the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.

“The investigation indicates that the information that was stolen did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected,” said the company. More details here.

Coupled with the revelation in September of the Equifax breach, today’s developments tell a dark story about how some of the biggest and oldest institutions on the web are some of the most vulnerable to malicious hackers.

Yahoo’s provided a list of guidelines for what to do to secure your account. And whether you are still sticking with the company after all this, or whether you are using other services, they are generally good rules of thumb if you don’t follow them already:

Change your passwords and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo Account (or whatever account happens to have been breached).

Review your accounts for suspicious activity.

Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.

Avoid clicking on links or downloading attachments from suspicious emails.

Apps that provide account keys to eliminate you needing to use passwords at all can also be useful.

The full notice from Yahoo is below:

NEW YORK, N.Y., October 3, 2017-Yahoo, now part of Oath, today announced that it is providing notice to additional user accounts affected by an August 2013 data theft previously disclosed by the company on December 14, 2016. At that time, Yahoo disclosed that more than one billion of the approximately three billion accounts existing in 2013 had likely been affected. In 2016, Yahoo took action to protect all accounts, including directly notifying impacted users identified at the time, requiring password changes and invalidating unencrypted security questions and answers so that they could not be used to access an account. Yahoo also notified users via a notice on its website.

Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft. While this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts. The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information. The company is continuing to work closely with law enforcement.

“Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats,” said Chandra McMahon, Chief Information Security Officer, Verizon. “Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources.”